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CLAIMS 

1. A system arranged to provide a gateway between a first network arid a second network, the system 
comprising: 

5 interface means to receive from the first network a message intended for an object in the 

second network, the message including an identifier for a further object in cither the first or second 
network; 

means to generate further interface means for receiving from the second network messages for 
the further object; 

10 means to form a new identifier for the further interface means; 

means to replace the received identifier with the new identifier in the message; and 
means to forward the message to the object in the second network. 



2. A system according to claim 1, wherein the new identifier includes information to enable 
1 5 subsequent recovery by the system of the received identifier. 

3. A system according to claim 2, wherein the new identifier includes a representation of the received 
identifier. 



20 4. A system according to claim 2, wherein the new identifier includes an indication of the identity of 
the received identifier and the system includes means to associate said indication with said received 
identifier. 



5. A system according to My-erig'T>F#ie-pirecedin g cla i ms , comprising means to include in the new 
25 identifier a name tag to identify the interface means. 

CIcl: ry^ \ . .. 

6. A system according to any one o f the prooodmg - olaim s, comprising means to include in the new 

identifier check data for checking the validity of the or at least a part of the new identifier. 

30 7. A system according to claim 6, wherein the check data comprises the result of a hash operation on 
the, or the at least part of the, new identifier and a secret 

8. A system according tOyaH^Sa o a^^o proood i ng 'elams, comprising means to include in the new 
identifier an indication that the received identifier was received in an message from the first (or 
35 second) networic 
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9. A system according to claim 1, comprising means to determine whether the received identifier 
originated from the first network or the second network. 

10. A system according to claim 9, comprising means to form the new identifier on the basis of the 
5 determined origin. 

11. A system according to claim 10, wherein, if the received identifier originated in the first network, 
the means to form the new identifier forms a new identifier including infonnation to enable 
subsequent recovery by the system of the received identifier. 

10 

12. A system according to claim 10, wherein, if the received identifier originated in the second 
network, having passed through the system from the second network to the first network, the means to 
form the new identifier forms a new identifier comprising an original identifier recovered from 
information included in the received identifier. 

15 

13. A system according to claim 10, wherein, if the received identifier originated in the first network, 
having passed through the system from the first network to the second network and having passed 
back to the first network other than through the system, the means to form the new identifier forms the 
new identifier as a copy of the received identifier. 

20 

14. A system according to claim 1, comprising means to detect a name tag in the message. 

15. A system according to claim 14, comprising means to determine on the basis of the name tag 
whether the object in the second network is valid and is still available to receive messages. 

25 

16. A system according to claim 15, wherein the means to determine initiates a call to a naming 
service, the naming service being configurable by an authorised party by adding or removing name 
tags, and the presence or absence of a name tag being indicative of whether the object associated with 
the name tajg is available or not respectively. 

30 

17. A system according to claim 1, comprising means to verify the received identifier. 

18. A system according to claim 17, wherein identifier includes check data to enable verification of 
the received identifier. 

35 

19. A system according to claim 18, wherein the check data is the result of a hash operation enacted 
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on at least part of the identifier and a secret, and the means to verify the received identifier is 
configured to enact a similar hash operation on the same part of the identifier and a secret and compare 
the resulting check data with the received check data. 

5 20. A system according to claim 19, wherein the secret is stored by and only accessible by the 
gateway. 

21. A system according to claim 1, wherein the means to generate the further interface means 
comprises means to determine on the basis of the received identifier whether a template for an 

10 appropriate further interface means is already known to the system. 

22. A system according to claim 21, wherein the means to generate the further interface means 
comprises means, which is operable in the event an appropriate template is not known to the system, 
to obtain an appropriate template fi-om a remote repository. 

15 

23. A system according to claim 21 or claim 32, wherein the means to generate the further interface 
means comprises means, which is operable in the event no appropriate template is known to the 
system and/or an appropriate template is not recoverable fix>m a remote repository, to obtain a generic 
template. 

24. A system according to eay-one of claims 21 lu 23, wherein the means to generate the further 
interface is arranged to at least obtain a template for the further interface means on or after receipt of 
the received identifier and in advance of receipt of a message for the further object 

C4 a: I . , 

25 25. A system according to any one of the y i tceJmg oluu i ie> configured for operation m a trusted 
operating system. 

26. A system according to claim 25, wherein the trusted operating system enforces Mandatory Access 
Control. 



30 



35 



27. A system according to claim 26, comprising at least two logical compartments and a trusted relay 
process that has privileges necessary to pass messages between the two compartments, wherein the 
first network and the respective interface means are associated with a first compartment and the 
second network is associated with a second compartment. 

28. A system according to claim 26 or olaim 2 ^, wherein a secret, usable by the system in a hash 
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operation for validating object references, is associated with a third compartment, and wherein only 
the trusted relay process has the privileges necessary to retrieve the secret from the fiirther 
compartment in order to enact a hash operation. 

5 29. A system according to claim 1, wherein the received identifier is an Interoperable Object 
Reference having the form IOR[host: port: key]. 



Interoperable Object Reference having the form IOR[host x: port x: key x], wherein key x includes 
10 information to enable subsequent recovery by the system of the received identifier. 

31. A system according to claim 30, wherein key x includes a representation of the received object 
reference IOR[host i: port i: key i]. 

15 32. A system according to claim 30 or claim 3^ , wherein key x includes: 



20 33. A method of controlling a gateway to pass messages for objects between first and second 
networics attached to the gateway, the method comprising the steps of: 

receiving from the first network a message for an object in the second network, the message 
including an identifier for a fiirther object in either the first or second network; 




an identifier to indicate from which network the object reference originated; 
a name tag associated with an identity of the gateway process; and 
check data for verifying the validity of the object reference. 



25 



generating means to receive messages for the finther object; 
forming a new identifier for the means to receive messages for the fiirther object; 
replacing the received identifier with the new identifier in the message; and 
forwarding the message to the object in the second network. 



